Closed Bug 1668197 Opened 4 years ago Closed 4 years ago

[warp] Crash [@ WarpCacheIRTranspiler::emitMathHypot2NumberResult]

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86_64, All

Tracking: RESOLVED FIXED, target 83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- fixed

People: Reporter: gkw, Assigned: iain

References: (Regression)

Details: Keywords: csectype-nullptr, regression, testcase

Attachments: 1 file

// Reporter's testcase. The first call lets the engine attach a Math.hypot stub
// for two number arguments; oomTest() (JS shell only) then re-runs f with OOM
// injected at successive allocation points, so the Warp transpiler's
// MHypot::New fails and returns nullptr.
function f(x, y) {
    return (~Math.hypot(y >>> 0, 2 - x >>> 0));
}
f(2, Math);
oomTest(f);

(gdb) bt
#0  WarpCacheIRTranspiler::emitMathHypot2NumberResult (this=0x7fffffffa0e8, firstId=..., secondId=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpCacheIRTranspiler.cpp:2295
#1  0x0000555557e18bc2 in WarpCacheIRTranspiler::emitMathHypot2NumberResult (this=0x7fffffffa0e8, reader=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpCacheIRTranspiler.cpp:203
#2  WarpCacheIRTranspiler::transpile (this=0x7fffffffa0e8, inputs=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpCacheIRTranspiler.cpp:234
#3  0x0000555557e154e8 in js::jit::TranspileCacheIRToMIR (builder=<optimized out>, loc=..., cacheIRSnapshot=0x200, inputs=..., maybeCallInfo=0x7fffffffa2e0) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpCacheIRTranspiler.cpp:3961
#4  0x0000555557e1538f in js::jit::WarpBuilder::transpileCall (this=0x7fffffffa570, loc=..., cacheIRSnapshot=0x7ffff69ed408, callInfo=0x7fffffffa2e0) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:1782
#5  0x0000555557e15af9 in js::jit::WarpBuilder::buildCallOp (this=0x7fffffffa570, loc=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:1811
#6  0x0000555557dff41a in js::jit::WarpBuilder::buildBody (this=0x7fffffffa570) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:677
#7  0x0000555557dfe9ba in js::jit::WarpBuilder::build (this=0x7fffffffa570) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:296
#8  0x00005555580db73e in js::jit::CompileBackEnd (mir=0x7ffff69ed210, snapshot=0x7ffff69ed518) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1475
#9  0x00005555580e9437 in js::jit::IonCompile (cx=0x7ffff6927000, script=..., baselineFrame=0x7fffffffac40, baselineFrameSize=80, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Full) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1756
#10 0x00005555580dcafb in js::jit::Compile (cx=0x7ffff6927000, script=..., osrFrame=0x7fffffffac40, osrFrameSize=80, osrPc=0x0, forceRecompile=false) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1973
#11 0x00005555580dd234 in BaselineCanEnterAtEntry (cx=0x7ffff6927000, script=..., frame=0x7fffffffac40, frameSize=80) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2101
#12 IonCompileScriptForBaseline (cx=0x7ffff6927000, frame=0x7fffffffac40, frameSize=<optimized out>, pc=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2227
#13 0x00003930cbc670e5 in ?? ()
#14 0x00000000000003c0 in ?? ()
#15 0x00007fffffffac20 in ?? ()
#16 0x0000555558d52280 in js::jit::vmFunctions ()
#17 0x00003930cbce9536 in ?? ()
#18 0x0000000000005821 in ?? ()
#19 0x00007fffffffac40 in ?? ()
#20 0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/895c8b18a46b
user:        Jan de Mooij
date:        Tue Sep 01 15:23:01 2020 +0000
summary:     Bug 1662366 part 1 - Remove some TODOs in WarpOracle. r=iain

Run with --fuzzing-safe --no-threads --ion-eager --warp, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev d286def58a48.

Again unsure if this is s-s, and also the patch in bug 1667685 does not fix this. Moreover their bisection windows and runtime flags are different. Jan, probably related to bug 1662366?

Flags: sec-bounty?
Flags: needinfo?(jdemooij)

Iain, can you take this? I think it's just missing a nullptr check for MHypot::New in a few places.

Flags: needinfo?(jdemooij) → needinfo?(iireland)

Regression info is wrong.

No longer regressed by: 1662366

In addition to the calls in the transpiler, MHypot::New is also called in the MHypot clone implementation.

I checked the other fallible New methods, and it looks like we are handling everything else correctly.

Assignee: nobody → iireland
Status: NEW → ASSIGNED

This is regressed by bug 1648820. My patch also fixes a similar pre-existing bug. Neither bug is a security concern; we just end up dereferencing a null pointer on OOM.

Flags: sec-bounty?
Flags: needinfo?(iireland)
Severity: -- → S3
Priority: -- → P1
Has Regression Range: --- → yes
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
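
The defect described in the comments above is a fallible allocation whose nullptr result was not checked before use. The following is an added C++ illustration, not SpiderMonkey's code: Arena, MIRNode and the two emit functions are hypothetical stand-ins for TempAllocator, MHypot::New and the transpiler's emit method, showing the unchecked shape beside the checked one under an oomTest-style injected allocation failure.

```cpp
#include <cmath>
#include <memory>
#include <vector>

// Added illustration, not SpiderMonkey code. In the real engine MHypot::New
// returns nullptr when the TempAllocator is out of memory; that went unchecked.
struct MIRNode { virtual ~MIRNode() = default; };
// Constructed arena: every allocation fails once `budget` is used up, which
// imitates how the shell's oomTest() injects OOM at successive allocations.
struct Arena {
  int budget;
  std::vector<std::unique_ptr<MIRNode>> nodes;
  explicit Arena(int b) : budget(b) {}
};

struct MHypot : MIRNode {
  double result = 0;
  static MHypot* New(Arena& a, double x, double y) {  // fallible: nullptr on OOM
    if (a.budget-- <= 0) return nullptr;
    auto* n = new MHypot();
    n->result = std::hypot(x, y);
    a.nodes.emplace_back(n);
    return n;
  }
};

// Buggy shape: the node is used without checking New(), so under OOM this
// dereferences nullptr (the crash in the backtrace above).
bool emitHypotUnchecked(Arena& a, double x, double y, double* out) {
  MHypot* node = MHypot::New(a, x, y);
  *out = node->result;          // nullptr dereference when New() failed
  return true;
}

// Fixed shape: report the failure so the caller can abort compilation, which
// is what adding a nullptr check at each MHypot::New call site achieves.
bool emitHypotChecked(Arena& a, double x, double y, double* out) {
  MHypot* node = MHypot::New(a, x, y);
  if (!node) return false;      // OOM: bail out instead of dereferencing
  *out = node->result;
  return true;
}

// OOM scenario against the fixed emitter: budget 0 makes the first allocation
// fail, as oomTest() does on its first iteration. True if handled cleanly.
bool oomIsHandled() {
  Arena oom(0);
  double r = -1;
  return !emitHypotChecked(oom, 3.0, 4.0, &r) && r == -1;
}
```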

The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(iireland)

I don't think this would be important enough to uplift even if warp was enabled in beta, which it isn't.

Flags: needinfo?(iireland)